CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting
Qualifications Summary
Education
M.B.A., IT Management, Western Governors University
B.S., IT Security, Western Governors University
Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs, and creating the solutions required, with a focus on technology.
PACE-IT.
– What makes social engineering effective.
– Types of social engineering attacks.
The largest vulnerability in any system tends to be the people who have authorized access to the system itself.
Attackers often exploit this weakness by applying social pressure to the people who have access to the system. This has proven to be an effective means of breaching data security for many years, because it relies on well-known principles of human behavior rather than on technical flaws. In practice, social engineering requires very little technology to be effective.
Even the NSA (National Security Agency) was shown to be vulnerable to social engineering. It was the main method Edward Snowden used to gather the data he took from the agency.
A summary of social engineering attacks.
– Reasons for effectiveness.
» Authority: the attacker impersonates an authority figure; the victim believes that he or she must comply with the authority.
• The impersonation can occur through email, over the phone, or even in person.
» Intimidation: the attacker delivers a message that intimidates the victim; out of fear, the victim gives in to the pressure.
» Consensus/social proof: the attacker offers evidence that others have already accepted the request, or that the claim is widely known to be true; the victim trusts the attacker because "everyone else" appears to.
» Scarcity: the attacker persuades the victim that what is being offered is highly valued because it is in short supply or available only briefly.
• The target falls victim to human nature (usually greed), as in the advance-fee ("Nigerian prince") scam.
– Reasons for effectiveness (continued).
» Urgency: the attacker imparts a sense of situational urgency; the victim feels that he or she must act now to fix the situation.
• The message may arrive by telephone or email, but it always implies that action is required immediately in order to avert disaster.
» Familiarity/liking: the attacker either uses a friendly tone or inserts himself or herself into the workplace; victims tend to like the attacker or feel that they can trust the attacker.
• This is one of the main methods Edward Snowden used to gain access to the information he took from the NSA.
» Trust: the attacker exploits the human tendency to trust, either by appearing to need the victim's help or by offering to help the victim.
• By appearing to be the victim of an unfortunate situation, the attacker fools the victim into going along with the attack.
• The attacker may also create a situation in which the victim appears to need the attacker's help.
– Impersonation.
» Many social engineering attacks begin with the attacker using impersonation, the act of pretending to be somebody else.
• A common technique is for the attacker to impersonate someone of perceived authority, so that the victim feels he or she must comply.
• The attacker may instead impersonate someone who needs help; for example, the attacker pretends to be an end user who requires the assistance of a network administrator.
– Phishing.
» The attacker typically casts a broad net of emails that appear to come from a trusted source (e.g., a well-known bank or Google) and ask users to click a hyperlink.
• The hyperlink leads to a malicious website that imitates the trusted source; when the user enters his or her credentials as requested, the attacker captures them.
» The phishing message often employs the principles of authority and urgency in order to get the victim to respond.
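The phishing mechanics described above (a link whose visible text names a trusted site while its real target is somewhere else, a sender merely posing as a trusted source, and pressure language built on the authority and urgency principles) can be checked mechanically. The following Python script is an added example for this study guide, not code from the PACE-IT slides; the trusted-domain list, the keyword lists, the weights and the sample message are all assumptions constructed for the example.

```python
"""Triage a raw e-mail for phishing indicators (added example, not PACE-IT code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only domain the bank in question legitimately sends mail from.
TRUSTED_DOMAINS = {"example-bank.com"}
# Assumed phrase lists for the urgency and authority principles, and assumed weights.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "act now")
AUTHORITY_WORDS = ("security department", "requires you", "compliance", "it department")
WEIGHTS = {"sender_mismatch": 3, "link_text_mismatch": 3, "ip_link": 2, "urgency": 1, "authority": 1}

# Constructed sample: lookalike sender domain, link text that shows the real bank
# while the href is a bare IP address, and urgency/authority wording.
SAMPLE_EML = """\
From: "Example-Bank Security" <alerts@examp1e-bank-verify.com>
To: victim@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our security department requires you to verify your identity immediately.</p>
<p>Click <a href="http://198.51.100.23/login">https://www.example-bank.com/secure</a>
to confirm, or your account will be locked.</p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def analyze(raw):
    """Return (findings, score) for one raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}

    # Impersonation: the display name borrows a trusted brand, but the sending domain does not match.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    brand_named = any(d.split(".")[0] in display.lower() for d in TRUSTED_DOMAINS)
    if brand_named and sender_domain not in TRUSTED_DOMAINS:
        findings["sender_mismatch"] = f"{display!r} sent from {sender_domain}"

    # Deceptive links: visible text names one host but the href goes to another,
    # or the href is a raw IP address.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    parser = _LinkParser()
    parser.feed(html)
    for href, text in parser.links:
        href_host = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings["ip_link"] = href
        if "." in text and " " not in text and _host(text) != href_host:
            findings["link_text_mismatch"] = f"shows {_host(text)}, goes to {href_host}"

    # Pressure language: the authority and urgency principles from the slides.
    plain = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    urgency = [w for w in URGENCY_WORDS if w in plain]
    authority = [w for w in AUTHORITY_WORDS if w in plain]
    if urgency:
        findings["urgency"] = urgency
    if authority:
        findings["authority"] = authority
    return findings, sum(WEIGHTS[k] for k in findings)
```

Calling `analyze(SAMPLE_EML)` returns every indicator with its detail and a total score of 10 for the constructed sample, while a plain message whose link text and href agree scores 0. The link-text check is the one users can apply by hand as well: hover over a link and compare the address shown in the status bar with the text of the link before clicking.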
– Whaling.
» Very similar to a phishing attack; however, instead of casting a wide net to get a few responses, the attacker targets a "whale" or big fish: somebody with a lot to lose.
• The attacker specifically crafts the message(s) to suit the victim's situation.
• The usual target is someone at the executive level of an organization.
– Vishing.
» A phishing attack that is conducted over the telephone (voice phishing).
– Hoax.
» Employs the principle of consensus/social proof in order to get the victim to perform an action.
• Most hoaxes are not targeted at a specific person or organization but are crafted to cause disruption.
• Often, a hoax is perpetuated by users who do not realize that it is a hoax.
– Shoulder surfing.
» A social engineering attack that relies on the attacker being able to see the victim's screen or keyboard.
• The attacker tries to steal confidential information (often a username and password) by watching the victim's actions.
– Dumpster diving.
» The attacker goes through the trash of a person or organization in an effort to discover sensitive information.
• A cross-cut shredder is more effective than a strip-cut shredder, since strip-cut material can be pieced back together.
– Tailgating.
» A social engineering attack that is usually used to bypass physical security.
• The attacker waits for, or times the approach to, a secure area in order to enter right behind an authorized person.
• The victim of a tailgating attack may actually hold the door open for the attacker.
Topic: What makes social engineering effective.
Summary: The people with authorized access are often the largest vulnerability to any security that is put in place. Attackers exploit this weakness and rely upon several different principles to increase the effectiveness of their attacks. The principles include: authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/liking, and trust.
Topic: Types of social engineering attacks.
Summary: In reality, social engineering attacks do not rely upon technology as much as they rely upon human nature. The types of attacks used in social engineering include: impersonation, phishing, whaling, vishing, hoaxes, shoulder surfing, dumpster diving, and tailgating.
This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.